port is not bound on all IPs on the host when using --network=slirp4netns:port_handler=slirp4netns #316

Open
guidugli opened this issue Jun 21, 2023 · 0 comments

guidugli commented Jun 21, 2023

I am trying to run PiHole as a rootless container using podman.

Everything was working fine except that the real IPs were not being logged. So I had to switch from rootlesskit to slirp4netns. But now the service cannot be reached via localhost.

Command executed:

```shell
/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --rm --sdnotify=conmon --replace --detach=true --name pihole-server -v /opt/pihole/etc-pihole:/etc/pihole:rw -v /opt/pihole/etc-dnsmasq.d:/etc/dnsmasq.d:rw -v /opt/pihole/resolv.conf:/etc/resolv.conf:rw -p 1153:53/tcp -p 1153:53/udp -p 1180:80/tcp --memory=512M --env-file=config.env --network=slirp4netns:port_handler=slirp4netns docker.io/guidugli/pihole-unbound:latest
```

When using rootlesskit the port is bound to all interfaces:

```console
pihole@pihole:~$ ss -ulpn
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
UNCONN 0      0      *:1153              *:*                users:(("rootlessport",pid=42836,fd=14))
```

But when using slirp4netns, the service does not respond on localhost:

```console
pihole@pihole:~$ ss -ulpn
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
UNCONN 0      0      0.0.0.0:1153        0.0.0.0:*          users:(("slirp4netns",pid=43755,fd=10))
```

```console
pihole@pihole:~$ dig google.com @localhost -p 1153
;; communications error to 127.0.0.1#1153: timed out
;; communications error to 127.0.0.1#1153: timed out
;; communications error to 127.0.0.1#1153: timed out
;; communications error to 127.0.0.1#1153: timed out

; <<>> DiG 9.18.12-1-Debian <<>> google.com @localhost -p 1153
;; global options: +cmd
;; no servers could be reached
```

But it responds on the interface IP:

```console
pihole@pihole:~$ dig google.com @10.14.55.55 -p 1153
; <<>> DiG 9.18.12-1-Debian <<>> google.com @10.14.55.55 -p 1153
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25094
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	142.250.219.206

;; Query time: 140 msec
;; SERVER: 10.14.55.55#1153(10.14.55.55) (UDP)
;; WHEN: Wed Jun 21 15:40:11 -03 2023
;; MSG SIZE  rcvd: 55
```

According to the man page, using the `-p` option should work this way: "If host IP is set to 0.0.0.0 or not set at all, the port is bound on all IPs on the host."

Am I missing something or is this really a bug?

More info:

```console
pihole@pihole:~$ slirp4netns --version
slirp4netns version 1.2.0
commit: 656041d
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.4

pihole@pihole:~$ podman --version
podman version 4.3.1
```

`pihole@pihole:~$ podman info`

```yaml
host:
  arch: amd64
  buildahVersion: 1.28.2
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon_2.1.6+ds1-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.6, commit: unknown'
  cpuUtilization:
    idlePercent: 98.08
    systemPercent: 0.97
    userPercent: 0.95
  cpus: 1
  distribution:
    codename: bookworm
    distribution: debian
    version: "12"
  eventLogger: journald
  hostname: pihole
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.1.0-9-amd64
  linkmode: dynamic
  logDriver: journald
  memFree: 66723840
  memTotal: 1007693824
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun_1.8.1-1+b1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.1
      commit: f8a096be060b22ccd3d5f3ebe44108517fbf6c30
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns_1.2.0-1_amd64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 959180800
  swapTotal: 960491520
  uptime: 0h 23m 1.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries: {}
store:
  configFile: /srv/pihole/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /srv/pihole/.local/share/containers/storage
  graphRootAllocated: 11099406336
  graphRootUsed: 5848473600
  graphStatus: {}
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /srv/pihole/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 0
  BuiltTime: Wed Dec 31 21:00:00 1969
  GitCommit: ""
  GoVersion: go1.19.8
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1
```
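The two manual checks in the report (which process owns the published UDP port in `ss -ulpn`, and whether a DNS query is answered on 127.0.0.1 versus the interface address) can be scripted so the symptom is reproducible on other hosts. The script below is an added example written for this page; it is not code from the issue author, podman or slirp4netns. The port 1153 and interface address 10.14.55.55 are taken from the post as defaults, the `ss` samples embedded in it are constructed to mirror the two outputs quoted above, and the DNS probe builds and parses a raw A query itself so it does not depend on `dig`.

```python
"""Reproduce the loopback-vs-interface check for a rootless podman published UDP port.

Added example, not from the issue author or the podman/slirp4netns projects.
Assumed from the issue text: port 1153, interface IP 10.14.55.55. The ss
samples below are constructed to mirror the two outputs quoted in the report.
"""
import re
import socket
import struct

# One `ss -ulpn` data row: State Recv-Q Send-Q Local:Port Peer:Port Process
_SS_ROW = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)
# Host-side process name -> podman port handler that spawned it
_HANDLERS = {"rootlessport": "rootlesskit", "slirp4netns": "slirp4netns"}

# Constructed samples mirroring the two `ss -ulpn` outputs quoted in the issue
SAMPLE_SS_ROOTLESSKIT = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 *:1153 *:* users:(("rootlessport",pid=42836,fd=14))"""
SAMPLE_SS_SLIRP = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0 0 0.0.0.0:1153 0.0.0.0:* users:(("slirp4netns",pid=43755,fd=10))"""


def parse_ss_udp(output):
    """Return one dict per socket row of `ss -ulpn` output (header line skipped)."""
    rows = []
    for line in output.splitlines():
        m = _SS_ROW.match(line.strip())
        if m:
            rows.append({"addr": m["addr"], "port": int(m["port"]),
                         "proc": m["proc"], "pid": int(m["pid"])})
    return rows


def port_handler_for(rows, port):
    """Name the port handler holding the wildcard-bound `port`, or None if absent."""
    for r in rows:
        if r["port"] == port and r["addr"] in ("*", "0.0.0.0", "[::]", "::"):
            return _HANDLERS.get(r["proc"], r["proc"])
    return None


def build_dns_query(name, qid=0x1234):
    """Minimal recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1


def parse_dns_answer(data):
    """Return (qid, rcode, list of A records as dotted strings) from a response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return qid, flags & 0x000F, records


def probe_udp_dns(host, port, name="google.com", timeout=2.0):
    """Send one A query to host:port; report whether a matching reply came back."""
    qid = 0x4E75
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_dns_query(name, qid), (host, port))
            data, _ = s.recvfrom(512)
        except OSError as exc:  # timeout or ICMP port unreachable
            return {"host": host, "reachable": False, "answers": [], "error": str(exc)}
    rid, rcode, answers = parse_dns_answer(data)
    return {"host": host, "reachable": rid == qid, "rcode": rcode,
            "answers": answers, "error": None}


def compare_bindings(port, iface_ip, name="google.com"):
    """Probe loopback and the interface IP; a split result is the symptom reported."""
    return {h: probe_udp_dns(h, port, name) for h in ("127.0.0.1", iface_ip)}


if __name__ == "__main__":
    import subprocess
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1153        # assumed from the issue
    iface = sys.argv[2] if len(sys.argv) > 2 else "10.14.55.55"    # assumed from the issue
    ss_out = subprocess.run(["ss", "-ulpn"], capture_output=True, text=True).stdout
    print("port handler:", port_handler_for(parse_ss_udp(ss_out), port))
    for host, res in compare_bindings(port, iface).items():
        print(f"{host}:{port} reachable={res['reachable']} "
              f"answers={res['answers']} error={res['error']}")
```

Run it as `python3 probe.py 1153 10.14.55.55` on the host; the reported combination is `port handler: slirp4netns`, `127.0.0.1:1153 reachable=False` with a timeout error, and `10.14.55.55:1153 reachable=True` with the resolved A record. Under rootlesskit both probes should succeed, which makes the script a quick regression check when switching `port_handler` values.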